US10097531B2 · Active · Utility patent

Techniques for credential generation

Assignee: AMAZON TECH INC · Priority: Dec 29, 2010 · Filed: Sep 26, 2016 · Granted: Oct 9, 2018
Est. expiry: Dec 29, 2030 (~4.5 yrs left; nominal 20-yr term from priority)
Inventors: BROOKER MARC J; CAVAGE MARK JOSEPH; BROWN DAVID; O'NEILL KEVIN ROSS; BRANDWINE ERIC JASON; JACQUES DE KADT CHRISTOPHER RICHARD
CPC: H04L 9/3247; G06F 21/44; H04L 63/08; H04L 63/20; H04L 63/10; H04W 12/0431
PatentIndex score: 73 · Cited by: 3 · References: 27 · Claims: 20

Abstract

A plurality of virtual computing resources is detected to have been provisioned. Credentials are distributed to the plurality of virtual computing resources. A credentials map that maps the credentials to the plurality of virtual computing resources is updated. The credentials for the plurality of virtual computing resources are activated to enable the plurality of virtual computing resources to use the credentials to authenticate to a second computer system that manages a resource service, with the credentials being inaccessible to resources of the resource service. A virtual computing resource of the plurality of virtual computing resources is detected to have been deprovisioned, and the credentials for the virtual computing resource are deactivated.

Claims

exact text as granted — not AI-modified
What is claimed is:

1. A computer-implemented method, comprising:
   distributing credentials to a plurality of virtual machine instances, wherein the credentials are specific to an identity of a customer associated with the plurality of virtual machine instances;
   updating a credentials map that maps the credentials to the plurality of virtual machine instances;
   activating the credentials for the plurality of virtual machine instances, thereby enabling the plurality of virtual machine instances to use the credentials to authenticate the identity with a computer system that manages a resource service;
   verifying, using the credentials map, that a virtual machine instance of the plurality of virtual machine instances attempting to use the credentials is associated with the credentials;
   determining that the virtual machine instance has been deprovisioned; and
   deactivating one or more of the credentials in the credentials map that are mapped to the virtual machine instance.

2. The computer-implemented method of claim 1, wherein determining that the virtual machine instance has been deprovisioned occurs as a result of determining one or more of:
   that hardware allocated to the virtual machine instance has been deallocated from the virtual machine instance, or
   that a memory state of the virtual machine instance has been stored to persistent storage.

3. The computer-implemented method of claim 1, wherein:
   the virtual machine instance is a first virtual machine instance;
   the one or more of the credentials mapped to the first virtual machine instance are also mapped to a second virtual machine instance; and
   after the one or more of the credentials have been deactivated for the first virtual machine instance, the one or more of the credentials remain activated for the second virtual machine instance.

4. The computer-implemented method of claim 1, further comprising receiving a command to distribute the credentials to at least two of the plurality of virtual machine instances.

5. The computer-implemented method of claim 4, wherein the command includes granularity information usable to determine:
   a quantity of credentials to generate for the plurality of virtual machine instances; and
   identities of the plurality of virtual machine instances.

6. The computer-implemented method of claim 1, wherein updating the credentials map includes updating a table of an authentication service that associates credentials with virtual machine instances to indicate that the credentials are currently active for the plurality of virtual machine instances.

7. The computer-implemented method of claim 6, wherein updating the table involves:
   adding at least one row in the table, or
   setting a field in the table for the credentials to a value that indicates that the credentials are active.

8. A system, comprising:
   one or more hardware processors; and
   memory including instructions that, as a result of execution by the one or more hardware processors, cause the system to:
   distribute credentials to a plurality of virtual computing resources, wherein the credentials are specific to an identity of a customer associated with the plurality of virtual computing resources;
   update a credentials map that maps the credentials to the plurality of virtual computing resources;
   activate the credentials for the plurality of virtual computing resources to enable the plurality of virtual computing resources to use the credentials to authenticate the identity with another virtual resource service;
   verify, using the credentials map, that a virtual computing resource of the plurality of virtual computing resources attempting to use the credentials is associated with the credentials;
   determine that the virtual computing resource has been deprovisioned; and
   deactivate one or more of the credentials that are mapped to the virtual computing resource in the credential map.

9. The system of claim 8, wherein:
   the other virtual resource service is a storage service; and
   activation of the credentials enables the virtual computing resource to access a data store of the storage service.

10. The system of claim 8, wherein instructions include instructions that cause the system to, prior to distributing credentials to the plurality of virtual computing resources, determine, depending at least in part on receipt of a message that indicates that the virtual computing resource has been successfully provisioned, that the plurality of virtual computing resources has been provisioned.

11. The system of claim 8, wherein the instructions that cause the system to update the credentials map include instructions that cause the system to:
   add the credentials into the credentials map, or
   tag the credentials in the credentials map to indicate that the credentials are active.

12. The system of claim 8, wherein the instructions further include instructions that cause the system to:
   obtain a policy conditioned on ownership of particular credentials; and
   cause a second virtual computing resource to receive access to a resource of the other virtual resource service by providing proof of the ownership of the particular credentials to the other virtual resource service.

13. The system of claim 8, wherein the instructions that cause the system to determine that the virtual computing resource has been deprovisioned include instructions that cause the system to detect that a memory state of the virtual computing resource has been stored in persistent storage.

14. The system of claim 8, wherein individual virtual computing resources of the plurality of virtual computing resources receive different credentials from other individual virtual computing resources.

15. A non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of being executed by one or more processors of a first computer system, cause the first computer system to:
   distribute credentials to a plurality of virtual computing resources, wherein the credentials are specific to an identity of a customer associated with the plurality of virtual computing resources;
   update a credentials map that maps the credentials to the plurality of virtual computing resources;
   activate the credentials for the plurality of virtual computing resources to enable the plurality of virtual computing resources to use the credentials to authenticate the identity with a second computer system that manages a resource service;
   verify, using the credentials map, that a virtual computing resource of the plurality of virtual computing resources attempting to use the credentials is associated with the credentials;
   determine that the virtual computing resource has been deprovisioned; and
   deactivate one or more of the credentials that are mapped to the virtual computing resource.

16. The non-transitory computer-readable storage medium of claim 15, wherein:
   the executable instructions further cause the first computer system to receive granularity information; and
   the executable instructions that cause the first computer system to distribute the credentials include instructions that cause the first computer system to identify the plurality of virtual computing resources to which the credentials are to be distributed based at least in part on the granularity information.

17. The non-transitory computer-readable storage medium of claim 15, wherein the credentials encode a security policy that requires use of the credentials to be limited to the plurality of virtual computing resources.

18. The non-transitory computer-readable storage medium of claim 15, wherein the virtual computing resources include virtual machine instances.

19. The non-transitory computer-readable storage medium of claim 15, wherein the virtual computing resource is deprovisioned as a result of a determination of a security breach in connection with the virtual computing resource.

20. The non-transitory computer-readable storage medium of claim 15, wherein the executable instructions that cause the first computer system to distribute the credentials include instructions that cause the first computer system to provide the credentials from a web server having a predetermined network location.
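The abstract and claims 1, 3, 5 and 14 describe one mechanism: an authentication service keeps a credentials map, activates customer-scoped credentials for a set of instances, checks at use time that the presenting instance is actually mapped to the credential, and deactivates the mapping when an instance is deprovisioned while leaving a shared credential active for the other instances that hold it. The following is an added illustration, not code from the patent or from Amazon; the class and method names (`CredentialsMap`, `distribute`, `verify`, `deprovision`) and the round-robin allocation of `quantity` credentials across the instance identities are assumptions chosen to show the claimed behaviour, and the map stores a hash of each secret rather than the secret itself.

```python
"""Toy credentials map in the style of US10097531B2 (hypothetical example code)."""
import hashlib
import secrets
from dataclasses import dataclass, field


def _digest(secret: str) -> str:
    # The map never needs the plaintext back; a hash suffices to verify a presented secret.
    return hashlib.sha256(secret.encode()).hexdigest()


@dataclass
class CredentialRecord:
    """One credential: whose identity it proves, and which instances it is active for."""
    secret_hash: str
    customer: str
    active_for: set = field(default_factory=set)


class CredentialsMap:
    """Authentication-service table: credential id -> CredentialRecord (assumed API)."""

    def __init__(self) -> None:
        self._records: dict[str, CredentialRecord] = {}

    def distribute(self, customer: str, instance_ids: list[str], quantity: int) -> dict:
        """Generate `quantity` customer-scoped credentials and activate them for the
        given instances, round-robin (the 'granularity information' of claim 5).
        quantity == len(instance_ids) gives every instance its own credential
        (claim 14); a smaller quantity makes instances share credentials (claim 3).
        Returns instance id -> [(credential id, secret)] for delivery to the instances;
        the map itself retains only the hash."""
        if quantity < 1 or not instance_ids:
            raise ValueError("need at least one credential and one instance")
        cred_ids = []
        for _ in range(quantity):
            cred_id = f"cred-{len(self._records):04d}"
            secret = secrets.token_hex(16)
            self._records[cred_id] = CredentialRecord(_digest(secret), customer)
            cred_ids.append((cred_id, secret))
        delivery: dict = {}
        for i, inst in enumerate(instance_ids):
            cred_id, secret = cred_ids[i % quantity]
            self._records[cred_id].active_for.add(inst)  # activate: claim 1
            delivery.setdefault(inst, []).append((cred_id, secret))
        return delivery

    def verify(self, cred_id: str, secret: str, instance_id: str):
        """Authenticate a request. Returns the customer identity on success, None otherwise.
        Both the secret and the instance-to-credential mapping must check out (claim 1)."""
        rec = self._records.get(cred_id)
        if rec is None:
            return None
        if not secrets.compare_digest(rec.secret_hash, _digest(secret)):
            return None
        if instance_id not in rec.active_for:
            return None  # valid secret, but presented by an instance it was not issued to
        return rec.customer

    def deprovision(self, instance_id: str) -> list:
        """Deactivate every credential mapped to the instance, for that instance only.
        Credentials shared with other instances stay active for them (claim 3)."""
        deactivated = []
        for cred_id, rec in self._records.items():
            if instance_id in rec.active_for:
                rec.active_for.discard(instance_id)
                deactivated.append(cred_id)
        return deactivated

    def is_active(self, cred_id: str, instance_id: str) -> bool:
        rec = self._records.get(cred_id)
        return rec is not None and instance_id in rec.active_for


if __name__ == "__main__":
    # Constructed sample: three instances, two credentials -> i-1 and i-3 share cred-0000.
    cm = CredentialsMap()
    delivery = cm.distribute("customer-A", ["i-1", "i-2", "i-3"], quantity=2)
    c0, s0 = delivery["i-1"][0]
    print("i-1 authenticates as", cm.verify(c0, s0, "i-1"))
    print("deprovision i-1 deactivates", cm.deprovision("i-1"))
    print("cred still active for i-3:", cm.is_active(c0, "i-3"))
```

The check that matters most for a defender is the third one in `verify`: a leaked secret presented by an instance that is not in the map fails even though the secret itself is correct, and deprovisioning an instance closes that instance's mapping immediately without rotating the credential for every other instance that shares it.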
